Tabber
Sep 18, 2019

LTM - Peer cert verify error - What is the Server IP

Running a forward proxy with SSLo, and I'm trying to find a more elegant way of hunting down the server my clients are going to when I see entries like this in the /var/log/ltm log:

Sep 18 08:16:46 BIGIP00 warning tmm2[22922]: 01260006:4: Peer cert verify error: self signed certificate in certificate chain (depth 1; cert /CN=TrustedSource_CA/O=SCC/C=US)

This specific warning entry happens so frequently that it is a large noise source that I want to get rid of by identifying the clients trying to go to whatever this is, but the logs are not helpful in identifying the server IP that is generating this entry. Since this specific CN "TrustedSource_CA" happens frequently enough, I can run a tcpdump/ssldump on the external interface of the BIG-IP to look for this specific certificate and the corresponding server-side connection.

I haven't seen a way to turn on a level of logging that would assist me in determining the server IP address in question, and I'm looking for a better way to turn on logging that would capture the server IP address when a warning like this is produced at a low frequency.

4 Replies

  • Hi,

    Did you see this kb:

    https://support.f5.com/csp/article/K66643540

    This message occurs when one of the following conditions are met:

    • You have a BIG-IP system in a high availability (HA) configuration that is unable to verify a remote BIG-IP system's device trust SSL certificate.
    • You have configured a Client SSL profile to require client certificate authentication and the BIG-IP system is unable to verify the client's SSL certificate.

    SSL certificate verification may fail for a variety of reasons. Two popular reasons include:

    • The received SSL certificate has not been signed by a recognized CA.
    • The received SSL certificate validity period has expired.

    My question is: did you perform client auth (cert)?

    regards

    • Tabber

      youssef,

      I did use that kb but forgot to mention in my original post.

      We are not performing client auth, but on server SSL we are validating server SSL certificates against our Trusted CA list. The F5 is operating properly in dropping these certificates, so that is not my problem. I'm trying to figure out what server is responding with the bad certificate so I can back-trace through either F5 logs or my firewall logs to determine the clients that are reaching out to these misconfigured servers.

      Thank you for your advice.

  • So after some digging I do not think what I need is possible currently. My initial thought was to do this via an iRule, so I was looking at properties that would allow me to look at the server-side SSL certificate, since I'm doing an L3 Outbound SSLo. This led me to look at the SSL properties https://clouddocs.f5.com/api/irules/SSL__cert.html, but unfortunately the documentation says it would error for the server-side context. This means I wouldn't be able to use the event https://clouddocs.f5.com/api/irules/SERVERSSL_SERVERCERT.html; not sure if I could use X509 instead of SSL::cert https://clouddocs.f5.com/api/irules/X509.html. Going to try this method soon.
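As an added example (not code from this thread or from F5), the following Python parser reads the exact /var/log/ltm line format quoted above, pulls out the verify reason, chain depth and subject DN, counts the noisiest CNs, and returns the time window in which a given CN was seen. Since the log line carries no server IP, the time window is what you would use to bound a firewall-log or tcpdump search; the sample lines are constructed, and the year is assumed because syslog lines carry none.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the /var/log/ltm format shown in the thread
# (hosts, tmm ids, timestamps and the second subject are made up).
SAMPLE_LOG = """\
Sep 18 08:16:46 BIGIP00 warning tmm2[22922]: 01260006:4: Peer cert verify error: self signed certificate in certificate chain (depth 1; cert /CN=TrustedSource_CA/O=SCC/C=US)
Sep 18 08:16:47 BIGIP00 warning tmm1[22921]: 01260006:4: Peer cert verify error: self signed certificate in certificate chain (depth 1; cert /CN=TrustedSource_CA/O=SCC/C=US)
Sep 18 08:20:01 BIGIP00 warning tmm0[22920]: 01260006:4: Peer cert verify error: certificate has expired (depth 0; cert /CN=example.test/O=Example Inc/C=US)
Sep 18 08:20:05 BIGIP00 notice mcpd[5890]: 01070417:5: some unrelated message
"""

# Matches only the 01260006 "Peer cert verify error" warning; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) warning "
    r"(?P<tmm>tmm\d+)\[\d+\]: 01260006:4: Peer cert verify error: "
    r"(?P<reason>.+?) \(depth (?P<depth>\d+); cert (?P<dn>/[^)]+)\)$"
)

def parse_dn(dn):
    """Turn '/CN=x/O=y/C=z' into a dict of RDN type -> value."""
    return dict(part.split("=", 1) for part in dn.strip("/").split("/") if "=" in part)

def parse_verify_errors(text, year=2019):
    """Return one event dict per verify-error line; 'year' is assumed (syslog has none)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "host": m["host"], "tmm": m["tmm"],
                       "reason": m["reason"], "depth": int(m["depth"]),
                       "subject": parse_dn(m["dn"])})
    return events

def summarise(events):
    """Count events per (subject CN, reason) so the loudest source stands out."""
    return Counter((e["subject"].get("CN", "?"), e["reason"]) for e in events)

def window_for(events, cn):
    """Earliest and latest time a CN was seen: the interval to search in firewall logs."""
    times = [e["time"] for e in events if e["subject"].get("CN") == cn]
    return (min(times), max(times)) if times else None

if __name__ == "__main__":
    evs = parse_verify_errors(SAMPLE_LOG)
    for (cn, reason), n in summarise(evs).most_common():
        print(f"{n:4d}  {cn:<20} {reason}  window={window_for(evs, cn)}")
```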